BiB 062: Globally Scalable Microsegmentation With Illumio

The following is a transcript of the audio briefing.

Welcome to Briefings In Brief, an audio digest of IT news and information from the Packet Pushers, including vendor briefings, industry research, and commentary. I’m Ethan Banks, it’s November 29, 2018, and here’s what’s happening. I had a briefing with Illumio earlier this month.

Who Is Illumio?

Illumio is a security company focused on preventing breaches from spreading through an organization using microsegmentation. The system works with a combination of agents and a central controller they call the Policy Compute Engine. The PCE determines, based on policy, what each endpoint in the network should be allowed to communicate with and tells the installed agents. Each agent programs the local operating system's firewall service, such as iptables or Windows Firewall.

And in that way, you’ve got a centrally managed security policy with granular controls you can keep up with. The Policy Compute Engine is doing the heavy lifting of figuring out exactly what rules are needed in each endpoint’s firewall. There’s more to the Illumio story, but that sets the background for the announcement I’m bringing to your attention today.

Illumio’s PCE Supercluster & Use Cases

In this briefing, Illumio discussed their Policy Compute Engine Supercluster. The PCE Supercluster is, as the name implies, a cluster of Policy Compute Engines that spans regions or even the globe. Illumio cited several scenarios driving this available architecture of their central controller.

Massive scale was one of those, and Illumio didn’t just throw a number up on the wall and expect people to believe it. In a live demo with a total of around 225K actual workloads spun up in three AWS regions around the world, they showed the Supercluster in action.

The point? The Supercluster's distributed controller architecture works when a single, centralized controller is likely to hit scaling limits. You can grow your microsegmentation domain as big as it needs to be with this product.

A second scenario Illumio matched up with the PCE Supercluster architecture was that of large, globally distributed organizations. Why does this scenario matter to Illumio? Global companies like these often have complex applications that are communicating across the globe. For instance, a workload in one region might need to hit an authentication server in another, or perform a replication task. You get the idea.

To manage these communications well, you need a way to coordinate policy for flow between regions, and the Supercluster offers this. The alternative is manual firewall coordination at region edges, and that’s not terribly practical in an automated world. Controller federation really matters in some organizations.

Federation has a parallel benefit of offering consistent policy everywhere that an app is deployed, for example in multiple regions. Why reinvent the policy for each region? Create the policy once, then leverage that same policy in any region where the PCE Supercluster lives and the app has been deployed.

For More Information

Illumio went into a lot more detail with some of the best live demos I’ve ever seen covering how the Policy Compute Engine Supercluster functions, recovers from failure scenarios, and so on.

If you’re one of those companies with tens or even hundreds of thousands of workloads distributed globally either on-premises, in the public cloud, or both, Illumio is bringing you maximally scalable microsegmentation.